[lug] Strange port scan

Warren Sanders warren at sandersonline.org
Fri Nov 19 11:33:47 MST 2004

I had a strange report of a port scan from a well known IP last night.  
I did a presentation at my local LUG on SmoothWall.  Part of the demo I 
was going to show the VPN features.  So I needed to shell into my box at 
work to get some addys.  Unfortunately it wasn't answering.  Later while 
showing the log screens of the SW web interface, I noticed the intrusion 
detection log had three detected scans from my work IP which I was 
trying to shell into earlier!  Stumped.  Chatting this morning between 
some who were there last night about this has gotten nowhere.  Maybe 
someone here could offer some reasoning?

This is the network topology at my work:
The router has a public IP running NAT --> port forwarding to my 
workstation box for ssh.
I received a /30 to test my SmoothWall with and they added .28 to the 
router for this test.
The SW is sitting on a 10 base hub using a .30 (SW's Red) and its 
gateway is .29.  The hub branches off an unmanaged switch.  The 5 port 
switch sits off the router (so there was no more room at the Inn okay).  
SW's Green is also on the same 10 base hub.
My ssh box, sitting on the LAN, was set to use the SW as its default 
route.  It ping tested okay for VPN to other SW boxes I had set up 
remotely.  So I couldn't ssh in most likely because my box's route was 
set to the wrong route I presume.  So the traffic was trying to come 
back out the SW causing the port scan?
Another tidbit: I am unable to ssh to the SW of a remote SW with an 
active VPN connection.  Is that because it sees some sort of spoofing 
going on and no private IP can connect to the Red anyway?  Since setting 
my default route back to point at the router I have no problems shelling 
out and back in again.

Your insight is appreciated, thanks and yes I am posting this on the SW 
forum as well.

Warren Sanders
Family Photo Galleries
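The post asks whether replies leaving through the SmoothWall instead of the router could look like a port scan. The following is an added simulation, not code from the post or from SmoothWall, that models that hypothesis with a minimal stateful edge tracker: the ssh client opens connections to the router's public address, and a reply is only recognised if it reverses the 4-tuple the client sent. All addresses are constructed (the post gives only the .28/.29/.30 octets), and the assumption that a reply leaving via the SmoothWall's Red interface is NATed to the Red address is labelled as such in the code; if the reply instead left with the box's private source address it would be dropped even earlier, with the same "unsolicited" outcome.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed addresses (assumptions; the post gives only the last octets .28/.29/.30).
LUG_CLIENT = "198.51.100.10"    # where the ssh client sat during the demo
WORK_ROUTER = "203.0.113.1"     # public IP doing NAT + port forward 22 -> ssh box
SW_RED = "203.0.113.30"         # SmoothWall Red on the test /30
SSH_BOX = "192.168.1.50"        # workstation on the work LAN (private side)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN" or "SYN-ACK"


class EdgeTracker:
    """Connection tracker with the heuristic a perimeter IDS typically applies:
    an inbound SYN-ACK matching no connection we opened is unsolicited, and
    several unsolicited packets from one source are reported as a scan."""

    def __init__(self, scan_threshold: int = 3) -> None:
        self.open: Set[Tuple[str, int, str, int]] = set()
        self.unsolicited: List[Packet] = []
        self.scan_threshold = scan_threshold

    def outbound(self, p: Packet) -> None:
        self.open.add((p.src, p.sport, p.dst, p.dport))

    def inbound(self, p: Packet) -> str:
        # A legitimate reply reverses the 4-tuple of a connection we opened.
        if (p.dst, p.dport, p.src, p.sport) in self.open:
            return "reply"
        self.unsolicited.append(p)
        return "unsolicited"

    def scan_sources(self) -> List[str]:
        counts: Dict[str, int] = {}
        for p in self.unsolicited:
            counts[p.src] = counts.get(p.src, 0) + 1
        return sorted(s for s, n in counts.items() if n >= self.scan_threshold)


def work_side_reply(syn: Packet, ssh_box_default_route: str) -> Packet:
    """Build the SYN-ACK the ssh box sends back, as seen leaving the work network.
    The router forwarded the SYN, so a reply leaving through the router is
    un-NATed back to the router's public address.  If the box's default route
    points at the SmoothWall instead, the reply leaves via Red and (assumption)
    is NATed to the Red address, so it arrives from a different source."""
    egress_ip = WORK_ROUTER if ssh_box_default_route == "router" else SW_RED
    return Packet(src=egress_ip, sport=syn.dport, dst=syn.src,
                  dport=syn.sport, flags="SYN-ACK")


def simulate(ssh_box_default_route: str, attempts: int = 3) -> EdgeTracker:
    """Replay `attempts` ssh connection attempts from the LUG side and return
    the tracker so the caller can inspect what it would have logged."""
    edge = EdgeTracker()
    for i in range(attempts):
        syn = Packet(src=LUG_CLIENT, sport=40000 + i, dst=WORK_ROUTER,
                     dport=22, flags="SYN")
        edge.outbound(syn)
        edge.inbound(work_side_reply(syn, ssh_box_default_route))
    return edge


if __name__ == "__main__":
    for route in ("router", "smoothwall"):
        t = simulate(route)
        print(f"ssh box default route -> {route}: "
              f"{len(t.unsolicited)} unsolicited packets, "
              f"scan reported from {t.scan_sources() or 'nobody'}")
```

With the default route on the router every reply matches an open connection and nothing is logged; with it on the SmoothWall each of the three attempts produces a reply from an address the client never contacted, which is exactly the pattern a perimeter IDS reports as a scan from the work side. Checking that inbound replies carry the same source address the client connected to, and that the box behind a port forward routes back through the same device, is the practical diagnostic this suggests.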

